Conficker
Conficker (also known as Downup, Downadup, Downandup and Kido) is a computer worm that surfaced in October 2008 and targets the Microsoft Windows operating system. [Three million hit by Windows worm] The worm exploits a known vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008. [Worst virus in years infects 6.5 mn computers]

Operation

The Conficker worm spreads itself primarily through a buffer overflow vulnerability in the Server service on Windows computers. The worm uses a specially crafted RPC request to execute code on the target computer. [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250] When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. It then connects to a server, from which it receives further orders to propagate, gather personal information, and download and install additional malware onto the victim's computer. [Conficker Worm Attack Getting Worse: Here's How to Protect Yourself] The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe. [F-Secure Malware Information Pages]

When infecting a computer, the worm launches an HTTP server on a random TCP port. This server is then used to deliver the worm's executable file to other computers. The worm obtains the IP addresses of computers on the same network as the victim machine and attacks them via a buffer overrun vulnerability in the Server service. [Viruslist.com - Net-Worm.Win32.Kido.bt] The worm sends a specially crafted RPC request to remote machines, which causes a buffer overrun when the wcscpy_s function is called in netapi32.dll. This launches code which downloads the worm file, then launches and installs it on the new victim machine.
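The spreading behaviour described above (one infected host enumerating its own network and hitting the Server service on many neighbours in quick succession) leaves a distinctive fan-out pattern in connection logs. The following is an added detection example written for this page; it is not code from the original wiki article or from any vendor. It assumes, beyond what the page states, that the Server service is reached over SMB on TCP port 445, that "same network" means the host's /24, that logs arrive as constructed `timestamp src dst dport` lines, and that the threshold of 8 distinct in-subnet peers within 60 seconds is a reasonable starting point for a small network.

```python
"""Flag hosts whose outbound SMB connections fan out to many peers on their own
subnet within a short window, the lateral-spread pattern described on this page.

Added example (not from the original page). Assumptions not taken from the
page: TCP 445 carries the Server service traffic, a host's "network" is its
/24, and the log line format below is a constructed one.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log: 10.0.5.17 sweeps ten neighbours on port 445 within
# ten seconds; 10.0.5.42 shows ordinary traffic (DNS, web, one file server).
SAMPLE_LOG = """\
2008-11-21T09:00:01 10.0.5.17 10.0.5.2 445
2008-11-21T09:00:02 10.0.5.17 10.0.5.3 445
2008-11-21T09:00:03 10.0.5.17 10.0.5.4 445
2008-11-21T09:00:04 10.0.5.17 10.0.5.5 445
2008-11-21T09:00:05 10.0.5.17 10.0.5.6 445
2008-11-21T09:00:06 10.0.5.17 10.0.5.7 445
2008-11-21T09:00:07 10.0.5.17 10.0.5.8 445
2008-11-21T09:00:08 10.0.5.17 10.0.5.9 445
2008-11-21T09:00:09 10.0.5.17 10.0.5.10 445
2008-11-21T09:00:10 10.0.5.17 10.0.5.11 445
2008-11-21T09:00:11 10.0.5.17 192.0.2.10 445
2008-11-21T09:00:03 10.0.5.42 10.0.5.1 53
2008-11-21T09:00:04 10.0.5.42 198.51.100.7 80
2008-11-21T09:00:05 10.0.5.42 10.0.5.200 445
"""


def parse_log(text):
    """Turn the constructed log format into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def _same_subnet(src, dst, prefix=24):
    """Assumption: a host's own network is the /24 containing its address."""
    net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
    return ipaddress.ip_address(dst) in net


def find_scanners(events, port=445, min_peers=8, window=timedelta(seconds=60)):
    """Return {src: peak_distinct_peers} for hosts that contacted at least
    min_peers distinct same-subnet addresses on `port` inside any `window`.
    Connections leaving the subnet are ignored so ordinary outbound SMB to a
    remote office does not count toward the threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == port and _same_subnet(src, dst):
            by_src[src].append((ts, dst))

    scanners = {}
    for src, hits in by_src.items():
        hits.sort()
        lo, peak = 0, 0
        for hi in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            peak = max(peak, len({d for _, d in hits[lo:hi + 1]}))
        if peak >= min_peers:
            scanners[src] = peak
    return scanners


if __name__ == "__main__":
    for host, peers in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {peers} distinct in-subnet peers on 445 within 60s")
```

The sliding window matters more than the raw count: a file server client touching the same host hundreds of times is not a sweep, whereas ten distinct neighbours in ten seconds is. Tune `min_peers` and `window` to the size of the subnet being watched, and pair this with the host-side symptoms listed below (disabled services, unexplained account lockouts) before treating a hit as an infection.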
In order to exploit the vulnerability described above, the worm attempts to connect to the Administrator account on the remote machine. The worm uses the following passwords to brute force the account:

Symptoms

* Automatic Updates no longer working
* Anti-virus software is no longer able to update itself
* Unable to access a variety of security sites, such as those of anti-virus software companies
* Random svchost.exe errors
* Account lockout policies being reset automatically
* Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services are automatically disabled
* Domain controllers respond slowly to client requests
* The network becomes unusually congested. This can be checked with the network traffic chart in Windows Task Manager

Patching and Removal

On 15 October 2008 Microsoft released a patch to fix the vulnerability. [Microsoft Security Bulletin MS08-067] Removal tools are available from Microsoft [http://www.microsoft.com/security/malwareremove/default.mspx], Symantec [http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=3], Kaspersky Labs [http://www.viruslist.com/en/alerts?alertid=203996089] and BitDefender. Since the worm can also spread via USB drives that trigger AutoRun, disabling the AutoRun feature for external media by modifying the Windows Registry is recommended. [Removing and Repairing] While Microsoft has released patches for Windows XP Service Packs 2 and 3, Windows 2000 SP4 and Vista, it has not released any patch for Windows XP Service Pack 1 or earlier versions (excluding Windows 2000 SP4), as the support period for these service packs has expired.

External Links

* How to remove the Downadup and Conficker worm (Uninstall instructions)

Category:Worms
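The AutoRun recommendation above is usually applied through the NoDriveTypeAutoRun policy value, a bitmask in which each set bit disables AutoRun for one drive type. The following is an added example for this page, not code from the wiki or from Microsoft: it parses a constructed `.reg` export of the Explorer policy key and reports whether removable media are covered, showing a weak setting beside the corrected one. The drive-type bit meanings follow the Windows drive-type constants; the two sample exports and their plain-text form (real exports are UTF-16 with a byte-order mark) are constructed assumptions.

```python
"""Check whether a NoDriveTypeAutoRun policy value actually disables AutoRun
for removable drives, the USB spread path mentioned on this page.

Added example (not from the original page). The .reg text below is
constructed; a real regedit export would be UTF-16 with a BOM, so decode it
before passing it to parse_reg_export().
"""
import re

# Bit -> drive type covered when the bit is SET (AutoRun disabled for it).
DRIVE_BITS = {
    0x01: "unknown drive type",
    0x02: "no root directory",
    0x04: "removable (USB/floppy)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unrecognised",
}
REMOVABLE = 0x04
ALL_DRIVES = 0xFF
EXPLORER_POLICY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
                   r"\CurrentVersion\Policies\Explorer")

# Constructed: the weak setting leaves removable and CD-ROM AutoRun enabled.
WEAK_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

# Constructed: the corrected setting disables AutoRun for every drive type.
HARDENED_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""


def parse_reg_export(text):
    """Parse the subset of the .reg format used here: [key] headers followed by
    "name"=dword:XXXXXXXX lines. Returns {key: {name: int}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def autorun_status(reg):
    """Evaluate the policy value. A missing value is reported as not covering
    removable drives, since no policy means the OS default applies."""
    value = reg.get(EXPLORER_POLICY, {}).get("NoDriveTypeAutoRun")
    if value is None:
        return {"value": None, "removable_disabled": False,
                "still_enabled": list(DRIVE_BITS.values())}
    still_enabled = [name for bit, name in DRIVE_BITS.items() if not value & bit]
    return {"value": value,
            "removable_disabled": bool(value & REMOVABLE),
            "still_enabled": still_enabled}


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        status = autorun_status(parse_reg_export(export))
        print(f"{label}: value={status['value']:#04x} "
              f"removable_disabled={status['removable_disabled']} "
              f"still_enabled={status['still_enabled']}")
```

The value 0x91 is the one most often seen on unmanaged machines of that era and it does not cover removable drives, which is exactly the gap a USB-borne autorun.inf needs; setting the value to 0xFF, as in the hardened export, covers every drive type. Check the HKEY_CURRENT_USER copy of the same path as well, since a per-user value can apply alongside the machine policy.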